I am using web2py 1.74.5.
In Auth.retrieve_password() after form.accepts(...), there is a check
that the email address corresponds to a valid user.
Next there is a check of the user's registration_key value; however, it
reads:
    elif users[0].registration_key[:7] in ['pending', 'disabled']:
        self.environment.session.flash = \
            self.messages.registration_pending
        redirect(self.url(args=request.args))
The users[0].registration_key[:7] only checks the first 7 characters
of the registration_key, which truncates 'disabled' to 'disable' and
fails the comparison as the truncated string is not in the list. What
happens is that a disabled user's account will be automatically
enabled and they will be emailed a new password.
Really, the [:7] bit is not necessary or, if retained, should be
increased to [:8] in order to return the first 8 characters of the
'disabled' string.
Or am I missing something?
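Added example, not part of the original post and not web2py's own code: a simplified model of the registration_key gate that compares the posted `[:7]` check with the two fixes the post suggests and with a prefix match. The function names, the user dictionaries and the suffixed key `pending-abc123` are assumptions made for illustration.

```python
# Simplified model of the registration_key gate described in the post.
# Not web2py source: function names and the user dicts are constructed.
BLOCKED = ('pending', 'disabled')


def blocked_sliced(key):
    """The check as posted: compare only the first 7 characters."""
    return key[:7] in ['pending', 'disabled']


def blocked_exact(key):
    """First fix suggested in the post: drop the slice."""
    return key in ['pending', 'disabled']


def blocked_slice8(key):
    """Second fix suggested in the post: widen the slice to 8 characters."""
    return key[:8] in ['pending', 'disabled']


def blocked_prefix(key):
    """Prefix match with no hard-coded length (an added alternative)."""
    return key.startswith(BLOCKED)


def retrieve_password(user, is_blocked):
    """Model the outcome the post describes: if the gate does not fire,
    the account is enabled (key cleared) and a new password is issued."""
    if is_blocked(user['registration_key']):
        return 'rejected'
    user['registration_key'] = ''
    user['password'] = '<new random password>'
    return 'reset'


def run(is_blocked):
    # Constructed sample keys; 'pending-abc123' is a hypothetical suffixed key.
    keys = ['', 'pending', 'disabled', 'pending-abc123']
    return {k: retrieve_password({'registration_key': k, 'password': 'old'},
                                 is_blocked) for k in keys}


if __name__ == '__main__':
    for check in (blocked_sliced, blocked_exact, blocked_slice8, blocked_prefix):
        print(check.__name__, run(check))
```

Only the prefix match rejects both exact and suffixed keys; `[:8]` and the exact comparison fix the `'disabled'` case but stop matching a key such as `pending-abc123`, which matters only if such keys are ever stored.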